Quoting Nicolas George (2020-01-12 14:28:06)
> Anton Khirnov (12020-01-07):
> > How is it any better in the unsigned case? You do a well-defined
> > unsigned overflow and end up with an invalid channel count (which might
> > even look sane).
> 
> I explained this: you can guard against defined behaviors, not against
> undefined behaviors, because the compilers are allowed to shunt the
> checks, and they do.

Your explanation does not make sense to me. Checking for negative values
is not guarding against overflow, it's "checking after the fact whether
overflow occurred". Any such checks, whether signed or unsigned, are
necessarily invalid and broken (hence the quotes). Guarding against
overflow must always be done by checking BEFORE the operation that might
overflow - again both for signed and unsigned.

From this angle, there is no difference between using signed and
unsigned values. The fact that in one case the overflow would have been
UB and the other wouldn't changes nothing here.

-- 
Anton Khirnov
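The point argued above, that an overflow guard has to run before the operation and that this holds equally for signed and unsigned arithmetic, written out as an added C example (not code from this thread or from FFmpeg). The scenario and function names are constructed: a sample-buffer size computed as count * sample_size, with one "after the fact" unsigned check that accepts a wrapped result, and before-the-operation checks for both unsigned and signed operands. It assumes 32-bit int.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed scenario (not FFmpeg code): a decoder computes the size of a
 * sample buffer as count * sample_size. Function names are hypothetical. */

/* "Checking after the fact", unsigned flavour. The multiplication wraps,
 * which is defined behaviour, so nothing blows up: the function just
 * produces a wrong, plausible-looking size that a check on the result
 * happily accepts. */
int size_checked_after_u(uint32_t count, uint32_t sample_size, uint32_t *out)
{
    uint32_t size = count * sample_size;   /* may wrap silently */
    if (count != 0 && size == 0)           /* catches almost nothing */
        return -1;
    *out = size;
    return 0;
}

/* Guard BEFORE the operation, unsigned: a * b fits in 32 bits exactly when
 * a <= UINT32_MAX / b, so the multiplication is only done once it is known
 * not to wrap. */
int size_checked_before_u(uint32_t count, uint32_t sample_size, uint32_t *out)
{
    if (sample_size != 0 && count > UINT32_MAX / sample_size)
        return -1;
    *out = count * sample_size;
    return 0;
}

/* Guard BEFORE the operation, signed. Same idea with the four sign cases
 * spelled out. a * b is never evaluated unless it fits, so no undefined
 * behaviour can occur and there is no post-operation check for the
 * compiler to optimise away. */
int mul_checked_before_i(int a, int b, int *out)
{
    if (a == 0 || b == 0) {
        *out = 0;
        return 0;
    }
    if (a > 0) {
        if (b > 0) {                  /* both positive: result > INT_MAX? */
            if (a > INT_MAX / b) return -1;
        } else {                      /* a > 0, b < 0: result < INT_MIN? */
            if (b < INT_MIN / a) return -1;
        }
    } else {
        if (b > 0) {                  /* a < 0, b > 0: result < INT_MIN? */
            if (a < INT_MIN / b) return -1;
        } else {                      /* both negative: result > INT_MAX? */
            if (a < INT_MAX / b) return -1;
        }
    }
    *out = a * b;
    return 0;
}

int main(void)
{
    uint32_t u = 0;
    int i = 0;
    int rc;

    /* 0x40000001 * 4 = 0x100000004, which wraps to 4: a size that "looks sane". */
    rc = size_checked_after_u(0x40000001u, 4u, &u);
    printf("after-the-fact unsigned: rc=%d size=%u\n", rc, (unsigned)u);

    rc = size_checked_before_u(0x40000001u, 4u, &u);
    printf("before-the-op unsigned:  rc=%d\n", rc);

    rc = mul_checked_before_i(INT_MAX, 2, &i);
    printf("before-the-op signed:    rc=%d\n", rc);
    return 0;
}
```

The unsigned post-check returns success with a size of 4 for an input that needed over 4 GiB, which is exactly the "invalid channel count that might even look sane" case; the two before-the-operation guards reject the same input without ever evaluating the overflowing product.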
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".